W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: #409: is parsing OBS-FOLD mandatory?

From: Mark Nottingham <mnot@mnot.net>
Date: Sun, 20 Jan 2013 20:26:42 +1100
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>, Roy Fielding <fielding@gbiv.com>
Message-Id: <85B3A89F-264E-4BED-9D76-2E0F3B9BB4EC@mnot.net>
To: Willy Tarreau <w@1wt.eu>

On 20/01/2013, at 6:44 PM, Willy Tarreau <w@1wt.eu> wrote:

> Hi Mark,
> 
> Sorry for being silent so long, I was quite busy last two weeks :-/
> 
> On Sun, Jan 20, 2013 at 01:37:26PM +1100, Mark Nottingham wrote:
>> Anyone? Bueller?
>> 
>> To make it clear -- I propose we downgrade recipient support for OBS-FOLD to
>> a prose recommendation. 
> 
> Given the security impact it can have if processed the lazy way, we must at
> least have something normative. Practically, I don't know how this can be
> put into valid terms in a spec, but I'd like to see something which mandates
> detecting OBS-FOLD and then leaves the choice to the implementation to accept
> it or to reject the message. What I don't want to see is implementations which
> consider that the space is part of the next header field name, and which later
> trim the spaces and take this header field for another one. And we know for
> sure that lazy implementations are lazy in multiple areas (typically all
> those quickly written in scripting languages).

Understood.

I think it's a matter of either parsing obs-fold, or rejecting a message that has whitespace after a newline...

Current:

"""
Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 7.3.1). Senders MUST NOT generate messages that include line folding (i.e., that contain any field-value that matches the obs-fold rule) unless the message is intended for packaging within the message/http media type. Recipients MUST accept line folding and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream.
"""

Proposal:

"""
Historically, HTTP header field values could be extended over multiple lines by preceding each extra line with at least one space or horizontal tab (obs-fold). This specification deprecates such line folding except within the message/http media type (Section 7.3.1). Senders MUST NOT generate messages that include line folding (i.e., that contain any field-value that matches the obs-fold rule) unless the message is intended for packaging within the message/http media type. Recipients MUST either:

  - accept line folding and replace any embedded obs-fold whitespace with either a single SP or a matching number of SP octets (to avoid buffer copying) prior to interpreting the field value or forwarding the message downstream, or

  - reject a message with line folding present. Servers can do for requests by responding with 400 Bad Request and a representation explaining the condition; clients can only discard the message.

In particular, recipients who choose not to implement obs-fold processing (as described above) MUST NOT accept messages containing headers with leading whitespace, as this can expose them to attacks that exploit this difference in processing.
"""


--
Mark Nottingham   http://www.mnot.net/
Received on Sunday, 20 January 2013 09:27:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 20 January 2013 09:27:14 GMT